[Owasp-leaders] Penetration Testing Guidance

Jim Manico jim.manico at owasp.org
Fri Mar 27 20:16:10 UTC 2015

Thanks for pointing this out.

A few notes:

1) A slight de-emphasis in the OWASP Top Ten, a sign of maturity I think.

" ...It was during this step that testing of the applications for issues 
related to the OWASP Top 10 *and other web application frameworks* took 
place. Penetration Testing Guidance "

"... Discussion of the penetration tester’s familiarity with testing to 
validate the OWASP Top 10 *and other similar application secure-coding 
standards* and examples of application penetration testing efforts 
conducted by the organization may be warranted. Penetration Testing 
Guidance "

2) More emphasis on the OWASP Testing Guide (a much more comprehensive 
guide to assessment than any other OWASP resource).

"... An examination of this type could be conducted in accordance with 
information system security assessment best practices such as described 
by the Open Source Security Testing Methodology Manual (“OSSTMM”), The 
National Institute of Standards and Technology (“NIST”) Special 
Publication 800-115, Technical Guide to Information Security Testing and 
Assessment, or the *Open Web Application Security Project (OWASP) 
testing methodology as defined in the **OWASP Testing Guide v.3.0**.* "

Pretty cool. A good step. I look forward to the day when PCI and other 
standards start referencing ASVS - it's probably one of the more 
important standards that addresses what PCI is really looking for, I 
dare say.


On 3/27/15 1:43 PM, Tom Brennan wrote:
> Congratulations to the many persons that have contributed in one way 
> or another to OWASP projects that have been referenced in the revised 
> standard that was issued from the PCI Standards Council
> https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf 
> The full scope document will IMHO help organizations better understand 
> and scope projects and that is a win-win for everyone involved with 
> being proactive about risk.
> It will also bring additional positive visibility to the OWASP 
> Foundation worldwide including the OWASP PCI Toolkit 
> https://www.owasp.org/index.php/Category:OWASP_PCI_Project and many 
> others.
> #TGIF well done!
> Semper Fi,
> Tom Brennan
> https://www.linkedin.com/in/tombrennan 
